Securing your Amazon Web Services (AWS) environment is crucial to protect your data and resources. In fact, we consider cloud configuration management to be one of the top cybersecurity controls of 2023. AWS has a wide breadth of services, and securing them all can be a daunting task. At the time of writing, AWS has 240 cloud products! That is a big list of potential items to identify and protect. To help you navigate this challenge, we’ve put together an AWS security best practices checklist that will help you reduce your organization’s risk.
While AWS offers comprehensive security for their data centers and internal security, each customer is accountable for safeguarding the data and resources they host in their AWS platforms. In other words, the cloud provider is responsible for the security OF the cloud, while the customer is responsible for their security IN the cloud. It is up to the customer to properly utilize and configure the security features that AWS makes available. In this post, we’ll provide an AWS security best practices checklist to secure your organization’s information IN the cloud.
At LMG, we recommend using a baseline, such as the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark, to help you prioritize and assess your AWS security posture now and over time. Since the number of services and benchmarks available can quickly become overwhelming, we have curated a list of AWS security best practices to help you enhance the security of your AWS infrastructure.
Controlling access to your AWS environment is the most important security control, as it specifies who or what can access the services and resources you host in AWS. AWS’s built-in Identity and Access Management (IAM) service gives you centralized control and audit capabilities to grant and verify access from a single dashboard. One of the most important steps within IAM is securing the ‘root’ account. When you create a new AWS account, a default super-user called the ‘root’ account is created automatically. Do not use the root account for daily tasks, and put strict controls around its credentials: enable multi-factor authentication (MFA) on it, do not create access keys for it, and keep its password and MFA device where only a small number of people can reach them. The root account should only be used for the specific tasks that only the root user can perform, so every root sign-in should be expected, and investigated if it is not. For more information on IAM in general, please read our IAM report detailing why it was selected as one of our top controls for 2023.
Additional IAM controls include:
AWS Organizations offers a robust account management solution that allows you to centralize and consolidate multiple AWS accounts into a single, organizationally controlled entity. With AWS Organizations, you gain access to essential features such as account management and consolidated billing, designed to enhance your ability to align your budgetary, security, and compliance requirements. As the organization’s administrator, you can create new accounts within your organization and invite existing accounts to join this centralized structure. Within AWS Organizations, you can implement Service Control Policies (SCPs) to enforce security and compliance across accounts. SCPs do not grant permissions; they set the maximum permissions available to principals in member accounts, so they can, for example, stop anyone in a member account from disabling CloudTrail or leaving the organization, no matter what IAM policies that account’s administrators write.
Just as you must protect your on-prem network using items like firewalls, policies, and segmentation, you must adopt controls to protect the logical network in AWS. The first step to securing your AWS network is to set up a Virtual Private Cloud (VPC) to isolate your resources. Designing a VPC takes time and forethought, factoring in the types of services and resources you host in AWS and who or what needs access to them.
Once your VPC is set up to logically separate access based on your business needs, use security groups (stateful, attached to instances and other resources) and Network Access Control Lists (NACLs, stateless, attached to subnets) to control inbound and outbound traffic. In particular, make sure neither layer allows inbound traffic to your remote administration ports, such as SSH (tcp/22) or RDP (tcp/3389), from anywhere on the Internet (0.0.0.0/0 or ::/0); restrict them to known management addresses or a bastion host instead. Additionally, if you host web applications that are accessed from the Internet, put AWS Web Application Firewall (WAF) in front of them to block common attacks.
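The rule above (no SSH or RDP open to the whole Internet) is easy to check mechanically. The following Python is an added example written for this post, not code from LMG or AWS: it walks security group rules in the shape EC2’s DescribeSecurityGroups returns them and reports any rule that opens SSH, RDP, or all ports to 0.0.0.0/0 or ::/0. It checks security groups only, not NACLs. The groups it inspects are constructed inline so it runs without an AWS account; in practice you would feed it ec2.describe_security_groups()['SecurityGroups'] from boto3.

```python
"""Audit AWS security group rules for administrative ports open to the Internet.

Added example for this checklist, not LMG's or AWS's code. Input is the
structure returned by EC2 DescribeSecurityGroups; the sample below is
constructed by hand so the check runs offline.
"""
from __future__ import annotations

# Remote administration ports that should never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _port_range(permission: dict) -> tuple[int, int] | None:
    """Return (from, to) for a rule that could carry SSH/RDP; None otherwise."""
    proto = permission.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports (no FromPort/ToPort in the API)
        return (0, 65535)
    if proto != "tcp":           # udp/icmp rules cannot expose SSH or RDP
        return None
    return (permission["FromPort"], permission["ToPort"])


def _world_open(permission: dict) -> bool:
    """True if the rule's source includes the whole IPv4 or IPv6 Internet."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in permission.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in permission.get("Ipv6Ranges", []))
    return v4 or v6


def find_exposed_admin_ports(security_groups: list[dict]) -> list[dict]:
    """One finding per (group, admin port) reachable from the Internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue
            rng = _port_range(perm)
            if rng is None:
                continue
            lo, hi = rng
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append({"group_id": sg["GroupId"],
                                     "group_name": sg.get("GroupName", ""),
                                     "port": port, "service": name})
    return findings


# Constructed sample: one correctly scoped bastion group and one group with
# the classic mistakes (RDP open over IPv6, then an "all traffic" rule).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0bastion", "GroupName": "bastion-corp-only",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0legacy", "GroupName": "legacy-app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in find_exposed_admin_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group_id']} ({f['group_name']}): {f['service']} tcp/{f['port']} open to the Internet")
```

The HTTPS rule on the legacy group is open to the world but is not reported, because 443 is not an administration port; the "all traffic" rule is reported once per admin port it covers.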
So far in our AWS security best practices checklist, we’ve covered controls around identity and network-oriented access. Now let’s look at how encryption can complement those controls. Encryption is a critical component of a defense-in-depth strategy and can help bolster your security posture or help mitigate potential weaknesses in your access controls. As with any service, you need to worry about encrypting data-at-rest and data-in-transit, which is a big task.
AWS service API endpoints support TLS, and AWS encrypts traffic between its own data centers, but that does not cover the traffic your own workloads send and receive. It is your responsibility to confirm that data going to and from the services you run in AWS is encrypted: HTTPS rather than HTTP for web servers, SFTP rather than FTP for file transfers, and bucket policies that reject plaintext requests to Amazon S3 (the aws:SecureTransport condition key). To this end, identify all communication to and from your AWS services and ensure encrypted protocols are in place.
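Requiring HTTPS for S3 is done with a bucket policy rather than a setting. The Python below is an added example for this post, not LMG’s or AWS’s code: it builds the Deny statement that refuses any request without TLS (using the documented aws:SecureTransport condition key) and, for auditing buckets you already have, checks whether an existing policy contains an equivalent statement. The bucket name is a placeholder.

```python
"""Build and check an S3 bucket policy that refuses plaintext (non-TLS) requests.

Added example for this checklist, not AWS's or LMG's code. The bucket name
"example-reports" is a placeholder. The generated document can be applied
with: aws s3api put-bucket-policy --bucket example-reports --policy file://policy.json
"""
import json


def tls_only_bucket_policy(bucket: str) -> dict:
    """Policy whose only statement denies every S3 action on the bucket over plain HTTP."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],          # the bucket itself and every object in it
            # aws:SecureTransport is "false" when the request did not use TLS
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value) -> list:
    """IAM allows a string or a list for Action and Resource; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_enforces_tls(policy: dict, bucket: str) -> bool:
    """True if some statement denies all principals all S3 actions on the bucket and its objects without TLS.

    Use on parsed policies, e.g. json.loads(s3.get_bucket_policy(Bucket=b)['Policy']).
    """
    arn = f"arn:aws:s3:::{bucket}"
    needed = {arn, f"{arn}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if "s3:*" not in _as_list(stmt.get("Action")):
            continue
        if not needed.issubset(_as_list(stmt.get("Resource"))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(tls_only_bucket_policy("example-reports"), indent=2))
```

A Deny is used rather than an Allow with the inverse condition because explicit denies win over any Allow granted elsewhere (IAM user policies, other bucket policy statements), so the rule holds even as permissions change.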
Encrypting data-at-rest in AWS is crucial and may seem daunting. However, AWS offers tools for this purpose: AWS Key Management Service (KMS) to create, control, and audit the keys, and server-side encryption (SSE) options on services such as S3, EBS, and EFS that use those keys. Use these services to protect your data in a digital fortress, rendering it unreadable without the key.
The first step on this path to data nirvana involves compiling an inventory of everywhere you store data within your AWS environment and the sensitivity of that data. Are we talking about S3 buckets, Amazon Elastic Block Store (EBS) volumes, or perhaps the Amazon Elastic File System (EFS)? Once you’ve pinpointed these digital treasure chests, the next move is to establish policies that enforce your encryption requirements (for example, that confidential data uses a customer-managed KMS key rather than the AWS-managed default) and to protect your encryption keys using the KMS and SSE services.
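The inventory-then-enforce step above can be scripted. The following Python is an added example for this post, not LMG’s or AWS’s code: it normalizes S3, EBS, and EFS records into one list and flags every store that is unencrypted, plus every store tagged as confidential that is not protected by a customer-managed KMS key. The records are constructed inline in the shape of the AWS API responses they imitate, KMS key ownership is looked up in a constructed map standing in for DescribeKey’s KeyManager field, and the DataClass tag and the policy built on it are assumptions for the example.

```python
"""Inventory AWS data stores and flag those that miss an encryption-at-rest policy.

Added example for this checklist (not LMG's or AWS's code). Records are
constructed inline in the shape of S3 GetBucketEncryption, EC2 DescribeVolumes
and EFS DescribeFileSystems responses, and KEY_MANAGER stands in for
kms.describe_key()['KeyMetadata']['KeyManager'], so the audit runs offline.
The 'DataClass' tag and the policy it drives are assumptions for the example.
"""
from __future__ import annotations

# Assumed policy: every store is encrypted; stores tagged DataClass=Confidential
# must use a customer-managed KMS key so key policy, rotation and key-usage
# logging are under your control rather than the AWS-managed default key.
CONFIDENTIAL = "Confidential"

# Stand-in for KMS DescribeKey: key ARN -> KeyManager ("AWS" or "CUSTOMER"). Constructed.
KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-ebs": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/cmk-data": "CUSTOMER",
}


def s3_store(name: str, tags: dict, encryption: dict | None) -> dict:
    """Normalize a bucket; `encryption` is GetBucketEncryption's body, or None if no default is set."""
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algo = default.get("SSEAlgorithm")          # "AES256" (SSE-S3) or "aws:kms" (SSE-KMS)
    return {"kind": "s3", "id": name, "tags": tags,
            "encrypted": algo in ("AES256", "aws:kms"),
            "kms_key": default.get("KMSMasterKeyID") if algo == "aws:kms" else None}


def ebs_store(volume: dict, tags: dict) -> dict:
    """Normalize a DescribeVolumes record."""
    return {"kind": "ebs", "id": volume["VolumeId"], "tags": tags,
            "encrypted": volume.get("Encrypted", False), "kms_key": volume.get("KmsKeyId")}


def efs_store(fs: dict, tags: dict) -> dict:
    """Normalize a DescribeFileSystems record."""
    return {"kind": "efs", "id": fs["FileSystemId"], "tags": tags,
            "encrypted": fs.get("Encrypted", False), "kms_key": fs.get("KmsKeyId")}


def audit(stores: list[dict]) -> list[str]:
    """Return one finding per store that violates the assumed policy."""
    findings = []
    for s in stores:
        label = f"{s['kind']}:{s['id']}"
        if not s["encrypted"]:
            findings.append(f"{label} is not encrypted at rest")
            continue
        if s["tags"].get("DataClass") == CONFIDENTIAL:
            if KEY_MANAGER.get(s["kms_key"] or "") != "CUSTOMER":
                findings.append(f"{label} is Confidential but not encrypted with a customer-managed KMS key")
    return findings


SSE_S3_DEFAULT = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

# Constructed inventory.
INVENTORY = [
    s3_store("public-assets", {"DataClass": "Public"}, SSE_S3_DEFAULT),
    s3_store("hr-records", {"DataClass": CONFIDENTIAL}, SSE_S3_DEFAULT),
    s3_store("legacy-exports", {"DataClass": CONFIDENTIAL}, None),
    ebs_store({"VolumeId": "vol-0db", "Encrypted": True,
               "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cmk-data"},
              {"DataClass": CONFIDENTIAL}),
    ebs_store({"VolumeId": "vol-0scratch", "Encrypted": True,
               "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aws-managed-ebs"},
              {"DataClass": "Internal"}),
    efs_store({"FileSystemId": "fs-0home", "Encrypted": False}, {"DataClass": CONFIDENTIAL}),
]

if __name__ == "__main__":
    for line in audit(INVENTORY):
        print(line)
```

Note that "hr-records" is encrypted and still fails: SSE-S3 uses a key AWS holds entirely, which is fine for public assets but does not meet the stricter requirement this example assumes for confidential data.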
Logging and monitoring help you detect and respond to security threats in near real-time as well as fulfill compliance obligations. LMG recommends that you turn on AWS CloudTrail, with a trail that covers all regions and has log file validation enabled, to keep a record of every API call made in your AWS account and who made it. This provides an audit trail in the event something goes wrong and gives administrators the visibility to confirm that tasks are being completed correctly and rules are being followed.
Next, create alarms in Amazon CloudWatch. Beyond watching resource usage, CloudWatch metric filters over your CloudTrail logs can alert you to security-relevant events such as root account usage, unauthorized API calls, IAM policy changes, and security group or NACL changes (the CIS benchmark lists a recommended set). This is like setting up alarms to warn you when something goes wrong so you can respond accordingly.
Finally, use AWS Config to record how your resources are configured and evaluate them against rules that express your requirements, for example that every EBS volume is encrypted or that no security group allows unrestricted SSH. This keeps configuration drift visible and ensures configurations are centrally managed and controlled.
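Root account usage is the alarm that ties the IAM section to this one, and it is worth seeing what the detection actually tests. The Python below is an added example for this post, not LMG’s or AWS’s code: it applies the same test that the CIS AWS Foundations Benchmark expresses as a CloudWatch Logs metric filter for root usage, `{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }`, to CloudTrail records so you can run it over an exported trail file offline. The records are constructed, trimmed to the fields the check reads.

```python
"""Flag root-account API activity in CloudTrail records.

Added example for this checklist, not LMG's or AWS's code. It mirrors the
CIS benchmark's CloudWatch metric filter for root usage so the same test can
be run over trail files exported from S3. The sample records are constructed.
"""
import json

# The CIS filter this function reproduces, kept here for reference.
ROOT_FILTER = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
               '&& $.eventType != "AwsServiceEvent" }')


def is_root_activity(record: dict) -> bool:
    """True for a record made by the root user itself, not by an AWS service acting on the account's behalf."""
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def root_events(records: list) -> list:
    """Summarize (time, event, source IP, MFA flag) for each root-user action."""
    out = []
    for r in records:
        if not is_root_activity(r):
            continue
        attrs = r.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
        out.append({"time": r.get("eventTime"),
                    "event": f"{r.get('eventSource')}:{r.get('eventName')}",
                    "source_ip": r.get("sourceIPAddress"),
                    "mfa": attrs.get("mfaAuthenticated")})
    return out


def root_events_from_trail_file(text: str) -> list:
    """Parse the object CloudTrail writes to S3 ({"Records": [...]}) and filter it."""
    return root_events(json.loads(text).get("Records", []))


# Constructed trail: a console login and a key creation by root without MFA,
# a service call made with root credentials on the account's behalf, and
# ordinary role activity. Only the first two should be reported.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-09-01T13:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2023-09-01T13:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "eventType": "AwsApiCall",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2023-09-01T13:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLogging", "eventType": "AwsApiCall",
     "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
    {"eventTime": "2023-09-01T13:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice"}},
]})

if __name__ == "__main__":
    for e in root_events_from_trail_file(SAMPLE_TRAIL):
        print(e)
```

The invokedBy exclusion matters: some AWS services act with root credentials on your behalf and would otherwise generate constant noise. The mfaAuthenticated value in the output is what you would check next; a root login without MFA in a real trail is a finding on its own.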
Last but not least in our AWS security best practices checklist is having an AWS data backup and recovery plan. A common saying among IT administrators is: “It’s not if you’ll need backups, but when.” Don’t let your AWS data fall under the radar just because AWS boasts “99.999999999%” data durability. Durability protects you against AWS losing your data; it does nothing against you (or an attacker holding your credentials) deleting or encrypting it, or an application corrupting it. So do your future self a favor and regularly back up your data using tools such as AWS Backup, S3 Versioning and cross-region replication, or Amazon EBS snapshots, and keep at least one copy where the credentials that manage production cannot delete it. It should go without saying, but once your automated backup procedures are set up – test, test, test. You don’t want all your hard work setting up backups to go to waste when the time comes because you failed to test a restoration.
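Testing restores cannot be automated away, but checking that backups are actually being taken can. The Python below is an added example for this post, not LMG’s or AWS’s code: given EBS volumes and the account’s snapshots in the shape EC2’s DescribeVolumes and DescribeSnapshots return them, it reports every volume whose newest completed snapshot is missing or older than an assumed 24-hour recovery point objective. The records are constructed so it runs offline.

```python
"""Find EBS volumes with no recent completed snapshot.

Added example for this checklist, not LMG's or AWS's code. Records are
constructed in the shape of EC2 DescribeVolumes and DescribeSnapshots
(OwnerIds=['self']) responses so the check runs offline; the 24-hour
maximum snapshot age is an assumed recovery point objective.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

MAX_SNAPSHOT_AGE = timedelta(hours=24)   # assumed RPO


def newest_completed_snapshot(snapshots: list[dict]) -> dict[str, datetime]:
    """Map VolumeId -> StartTime of its most recent completed snapshot."""
    newest: dict[str, datetime] = {}
    for snap in snapshots:
        if snap.get("State") != "completed":    # pending/error snapshots are not restore points
            continue
        vid, started = snap["VolumeId"], snap["StartTime"]
        if vid not in newest or started > newest[vid]:
            newest[vid] = started
    return newest


def stale_volumes(volumes: list[dict], snapshots: list[dict], now: datetime,
                  max_age: timedelta = MAX_SNAPSHOT_AGE) -> list[tuple[str, datetime | None]]:
    """(VolumeId, last good snapshot time) for volumes whose newest snapshot is missing or too old."""
    newest = newest_completed_snapshot(snapshots)
    findings = []
    for vol in volumes:
        last = newest.get(vol["VolumeId"])
        if last is None or now - last > max_age:
            findings.append((vol["VolumeId"], last))
    return findings


# Constructed sample: one volume backed up overnight, one whose only recent
# snapshot failed, and one that has never been snapshotted.
SAMPLE_NOW = datetime(2023, 9, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_VOLUMES = [{"VolumeId": "vol-0db"}, {"VolumeId": "vol-0app"}, {"VolumeId": "vol-0new"}]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-1", "VolumeId": "vol-0db", "State": "completed",
     "StartTime": datetime(2023, 9, 2, 3, 0, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-2", "VolumeId": "vol-0app", "State": "completed",
     "StartTime": datetime(2023, 8, 28, 3, 0, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-3", "VolumeId": "vol-0app", "State": "error",
     "StartTime": datetime(2023, 9, 2, 3, 0, tzinfo=timezone.utc)},
]


def check_sample() -> list[tuple[str, datetime | None]]:
    """Run the check over the constructed sample."""
    return stale_volumes(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, SAMPLE_NOW)


if __name__ == "__main__":
    for vid, last in check_sample():
        print(f"{vid}: last good snapshot {last.isoformat() if last else 'none'}")
```

A snapshot in the error state is deliberately ignored, which is exactly the case a "did the job run?" check misses: the job ran, and there is still nothing to restore from.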
Remember that AWS provides various security tools and services, and the best practices may vary depending on your specific use case and requirements. Do your best to stay up to date by taking training classes, watching for changing threats and technologies, and adapting your strategy accordingly. AWS’s official documentation (or even ‘AWS for Dummies’!) offers a treasure trove of information to help you implement your security requirements.
We hope you found this AWS security best practices checklist helpful! Please contact us if you need help with assessing your AWS security controls. We regularly help clients assess their AWS security posture through our Cloud Security Review service. Our team of security experts is ready to help!
Paul is the Chief Information Officer at LMG Security. Graduating from the University of Montana with a Business MIS degree, Paul jumped right into system and network administration roles. Paul has performed various roles over his 8-year tenure at LMG, including IT Manager, Project Manager, Senior Cybersecurity Consultant, Data Privacy Officer, and Chief Information Officer. Paul regularly guest teaches a class on cybersecurity at the University of Montana, and his current certifications include CISSP, OSCP, OSWP, Fortinet Network Security Professional (NSE4) and more.